Heartbleed Update - FAQ
You may have heard about the Heartbleed bug, which potentially affects millions of businesses around the world that operate securely online. Heartbleed was the result of a bug in OpenSSL, a technology used by many websites to send data privately to and from an Internet server. In plain terms, this bug meant that web pages you thought were secure (they showed the little lock icon, and the URL began with https:) were potentially vulnerable. The issue affected as many as two-thirds of the sites on the Internet, including BiblioCommons client catalogs.
Here are the answers to some questions you might have.
Q: When did BiblioCommons first learn about Heartbleed and what did you do?
A: We first learned about the issue on the morning of April 8 and determined that the version of OpenSSL we were using was vulnerable. BiblioCommons engineers updated OpenSSL libraries, rekeyed and reissued our SSL certificates, revoking the old ones, by 4:15 PM EDT.
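As an added example (not BiblioCommons code, and not part of the original FAQ), the Python script below checks the two remediation steps described in this answer from the server side: that the installed OpenSSL is no longer one of the affected releases, and that the certificate now in service was issued after the fix became available. It assumes an operator pastes in the output of `openssl version` and `openssl x509 -noout -dates`; the sample lines are constructed. The affected-release list (1.0.1 through 1.0.1f, plus 1.0.2-beta1, fixed in 1.0.1g) comes from the public OpenSSL advisory, not from the FAQ.

```python
import re
from datetime import datetime, timezone

# Added example, not BiblioCommons code. Heartbleed (CVE-2014-0160) is present in
# OpenSSL 1.0.1 through 1.0.1f and in 1.0.2-beta1; 1.0.1g, released 7 April 2014,
# carries the fix. The 0.9.8 and 1.0.0 branches never contained the affected
# heartbeat code. The fix date doubles as the earliest acceptable certificate
# notBefore: a certificate created before it was issued while the old, possibly
# leaked, private key was still in service.
FIX_RELEASED = datetime(2014, 4, 7, tzinfo=timezone.utc)

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")


def version_is_vulnerable(version_line: str) -> bool:
    """Classify the first line of `openssl version` output by release number.

    Distributions often backport fixes without changing this string, so a
    True result here means "needs confirmation from the package changelog",
    not proof of exposure.
    """
    m = VERSION_RE.match(version_line.strip())
    if not m:
        raise ValueError(f"unrecognised version line: {version_line!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # Plain 1.0.1 and letters a-f are affected; g and later are fixed.
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "beta1"
    return False


def parse_not_before(dates_output: str) -> datetime:
    """Parse the notBefore line of `openssl x509 -noout -dates` output."""
    for line in dates_output.splitlines():
        if line.startswith("notBefore="):
            stamp = line.split("=", 1)[1].strip()
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no notBefore line in input")


def remediation_status(version_line: str, dates_output: str) -> dict:
    """Report whether both steps from the FAQ answer can be confirmed."""
    library_fixed = not version_is_vulnerable(version_line)
    reissued_after_fix = parse_not_before(dates_output) >= FIX_RELEASED
    return {
        "library_fixed": library_fixed,
        "cert_reissued_after_fix": reissued_after_fix,
        "remediated": library_fixed and reissued_after_fix,
    }


# Constructed sample inputs in the shape the two openssl commands print.
SAMPLE_VERSION = "OpenSSL 1.0.1g 7 Apr 2014"
SAMPLE_DATES = (
    "notBefore=Apr  8 20:15:00 2014 GMT\n"
    "notAfter=Apr  8 20:15:00 2015 GMT\n"
)

if __name__ == "__main__":
    print(remediation_status(SAMPLE_VERSION, SAMPLE_DATES))
```

A version string alone can mislead in both directions: Linux distributions routinely backport the fix while keeping the 1.0.1e or 1.0.1f label, so a "vulnerable" result should be confirmed against the package changelog or the "built on:" line of `openssl version -a`. Conversely, a fixed library paired with a certificate issued before the patch still leaves a key that may have been read from memory, which is why the rekeying and revocation step in this answer matters as much as the library update.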
Q: What information was vulnerable?
A: Any information that appears on or is transmitted through a secure (https) page, including name, barcode, PIN/password, email address, year and month of birth, recently returned items, fines, and other preferences. Note that BiblioCommons does not fetch or store your address or phone number.
Q: What about fines paid through the library? Was credit card data at risk?
A: Fine payments are not handled directly by BiblioCommons. Even if a library is using the BiblioFines module, the actual payments are processed by PayPal, which was not affected. If your library supports online fine payment through another system, please check with your library to see whether that system was vulnerable to the OpenSSL issue.
Q: Do you know if any patron information was compromised?
A: It's not possible for anyone to tell, but at this point we have no reason to believe patron data was compromised.
Q: Why were some sites vulnerable and others not?
A: Not every site uses OpenSSL, and not every version of OpenSSL was affected. Unfortunately, it was the newer versions that were vulnerable, and BiblioCommons, like many sites, was running one of them.
Q: Should I change my PIN?
A: Yes. That's a good idea any time there has been a potential breach of personal information. It’s good practice to change your PIN/password regularly, and use something you don’t use on any other site.
Q: What does my library need to ensure they have done to protect patron information?
A: Whether your library needs to take further steps for services other than BiblioCommons depends on those services and the encryption software and protocols they use. Please contact your library for further information.
Q: What steps does BiblioCommons have in place to protect patron and other personally identifiable data?
Q: How can I see if my library -- or another service I use that may have my data -- is still vulnerable?
A: You can enter the URL of your library website, or any other, on this site.
At this time, no BiblioCommons library is vulnerable.
Q: Where can I get more information on the Heartbleed vulnerability?
A: You can get more information from the site where the bug was originally reported: http://heartbleed.com/